The invention relates to systems and methods for protecting users from malicious software, and in particular to software whitelisting.
Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms such as computer viruses, worms, Trojan horses, and rootkits, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data, identity theft, and loss of productivity, among others.
Computer programs dedicated to malware scanning employ various methods of detecting and eliminating malware from user computer systems. Such methods include behavior-based techniques and content-based techniques. Behavior-based methods may involve allowing a suspected program to execute in an isolated virtual environment, identifying malicious behavior, and blocking the execution of the offending program. In content-based methods, the contents of a suspected file are commonly compared to a database of known malware-identifying signatures. If a known malware signature is found in the suspected file, the file is labeled as malicious.
Other methods of combating malware employ application whitelisting, which comprises maintaining a list of software and behaviors that are allowed on a user's computer system, and blocking all other applications from executing. Such methods are particularly effective against polymorphic malware, which is able to randomly modify its malware-identifying signature, rendering conventional content-based methods ineffective.
Some whitelisting applications employ hash values to identify and ensure the integrity of whitelisted software. A cryptographic hash may be created for a file or group of files affiliated with a whitelisted application and stored for reference. The respective application is then authenticated by comparing the stored hash to a new hash generated at runtime.
The performance of anti-malware whitelisting methods may depend on the capability to maintain and update whitelist databases in an efficient and flexible manner.